GDPR
General Data Protection Regulation (EU) - comprehensive data protection framework
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law, effective since May 2018. It establishes strict requirements for collecting, processing, and storing personal data of EU residents, regardless of where the processing organization is located—its extraterritorial scope means any company handling EU residents' data must comply, even if headquartered elsewhere.
GDPR defines "personal data" expansively as any information relating to an identified or identifiable natural person. Critically, Recital 26 establishes the "means reasonably likely" standard for identifiability: data is personal if the individual can be identified directly or indirectly using all means reasonably likely to be used, considering factors including cost, time, available technology, and technological developments. This broad standard captured dynamic IP addresses as personal data in the landmark Breyer case, and applies equally to pseudonymized data—which remains fully regulated because the ability to re-link exists.
Key provisions include:
- lawful basis requirements (consent, contract, legal obligation, vital interests, public task, or legitimate interests);
- data subject rights (access, rectification, erasure, restriction, portability, objection);
- mandatory breach notification to supervisory authorities within 72 hours;
- Data Protection Impact Assessments for high-risk processing;
- privacy by design and by default requirements;
- the principle of data minimization.
The anonymization standard under GDPR is stringent. Truly anonymous data—where the individual is "not or no longer identifiable" using any reasonably likely means—falls outside GDPR scope entirely. However, the Article 29 Working Party (now the EDPB) established in Opinion 05/2014 that effective anonymization must prevent three specific risks: singling out (isolating an individual's records), linkability (connecting records belonging to the same person, including across datasets), and inference (deducing the value of an attribute from other data with significant probability). No single technique automatically satisfies this standard; a context-specific risk assessment is required.
GDPR carries substantial penalties: up to €20 million or 4% of global annual revenue, whichever is higher. Enforcement has been aggressive—cumulative fines exceeded €5.88 billion by January 2025, with €2.1 billion issued in 2023 alone (a record year). Meta alone has faced over €1.3 billion in fines. The EDPB's 2024-2025 work programme includes developing dedicated guidelines on anonymization, signaling increased scrutiny of organizations claiming data falls outside GDPR scope.
The regulation distinguishes carefully between anonymization and pseudonymization. Pseudonymized data—where direct identifiers are replaced with codes but re-linking remains possible—is still personal data subject to full GDPR compliance. The EDPB's January 2025 Guidelines 01/2025 on Pseudonymisation clarified that pseudonymization is a security measure that may satisfy certain "data protection by design" requirements but does not remove data from regulatory scope.
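To make the distinction concrete, here is an added example (not code from the page, the EDPB, or any regulator): a constructed patient-style dataset is pseudonymized by replacing the direct identifier with a keyed hash, and the result is then tested for the three Opinion 05/2014 risks described above. The record values, the HMAC key, the second "release" used for the linkability check, and the generalization rule are all invented for the illustration; the point is that the pseudonymized table is still personal data, and that a single coarsening step removes singling out but not inference.

```python
"""Added example: pseudonymization plus a singling-out / linkability / inference
check on a constructed dataset. Not from the page or any official guidance."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records; every value here is invented.
RECORDS = [
    {"name": "Alice", "zip": "10115", "birth_year": 1985, "gender": "F", "diagnosis": "flu"},
    {"name": "Bob",   "zip": "10115", "birth_year": 1985, "gender": "M", "diagnosis": "asthma"},
    {"name": "Carol", "zip": "10117", "birth_year": 1990, "gender": "F", "diagnosis": "flu"},
    {"name": "Dave",  "zip": "10117", "birth_year": 1990, "gender": "F", "diagnosis": "flu"},
    {"name": "Erin",  "zip": "10119", "birth_year": 1988, "gender": "F", "diagnosis": "diabetes"},
]
# A second, constructed release about the same population (no names, one extra column).
OTHER_RELEASE = [
    {"zip": "10117", "birth_year": 1990, "gender": "F", "purchase": "inhaler"},
    {"zip": "10115", "birth_year": 1985, "gender": "M", "purchase": "vitamins"},
    {"zip": "20099", "birth_year": 1970, "gender": "M", "purchase": "bandages"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "gender")
SENSITIVE = "diagnosis"


def pseudonymize(records, key):
    """Replace the direct identifier with an HMAC token (the key is assumed to be
    held by the controller). Returns the tokenized rows and the re-linking table;
    because that table exists, the output is pseudonymous, not anonymous."""
    out, relink = [], {}
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        relink[token] = r["name"]
        out.append({"id": token, **{k: v for k, v in r.items() if k != "name"}})
    return out, relink


def equivalence_classes(records, quasi):
    """Group rows by their quasi-identifier combination."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes


def singled_out(records, quasi):
    """Risk 1: quasi-identifier combinations that isolate exactly one record."""
    return [k for k, rows in equivalence_classes(records, quasi).items() if len(rows) == 1]


def linkable(records_a, records_b, quasi):
    """Risk 2: combinations present in both releases, so rows can be joined to
    the same person without any direct identifier."""
    keys_a = set(equivalence_classes(records_a, quasi))
    keys_b = set(equivalence_classes(records_b, quasi))
    return sorted(keys_a & keys_b)


def inference(records, quasi, sensitive):
    """Risk 3: classes whose members all share the sensitive value, so it can be
    deduced for anyone known to belong to the class, even without singling out."""
    return [k for k, rows in equivalence_classes(records, quasi).items()
            if len(rows) > 1 and len({r[sensitive] for r in rows}) == 1]


def generalize(records):
    """Constructed coarsening rule: 3-digit zip prefix, birth decade, gender dropped."""
    return [{**r, "zip": r["zip"][:3], "birth_year": r["birth_year"] // 10 * 10, "gender": "*"}
            for r in records]


def assess(records, other, quasi, sensitive):
    """Summarize all three risks for one release."""
    return {
        "singled_out": singled_out(records, quasi),
        "linkable": linkable(records, other, quasi),
        "inference": inference(records, quasi, sensitive),
    }


if __name__ == "__main__":
    pseudo, relink = pseudonymize(RECORDS, b"constructed-demo-key")
    print("pseudonymized:", assess(pseudo, OTHER_RELEASE, QUASI_IDENTIFIERS, SENSITIVE))
    print("generalized:  ", assess(generalize(pseudo), generalize(OTHER_RELEASE),
                                   QUASI_IDENTIFIERS, SENSITIVE))
```

Running it shows that after hashing the names, three of five rows are still singled out by zip, birth year and gender, two of those combinations also appear in the second release, and one class leaks its diagnosis outright. Generalizing the quasi-identifiers removes the singling-out and cross-release matches in this sample, yet the 1990s class still consists entirely of "flu", so inference remains; that is the page's point that no single technique settles the question without a risk assessment.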
GDPR has become a de facto global standard, influencing privacy laws worldwide including Brazil's LGPD, California's CCPA/CPRA, and comprehensive privacy legislation in over 130 countries. For multinational organizations, GDPR typically represents the most stringent applicable standard and often serves as the baseline for global privacy programs.
Sources
- GDPR Recital 26 and Article 4 - Definitions of Personal Data and Anonymization.
- Article 29 Working Party. (2014). Opinion 05/2014 on Anonymisation Techniques (WP216).
- Breyer v. Germany (CJEU Case C-582/14). (2016). Dynamic IP Addresses as Personal Data.
- EDPB. (2025). Guidelines 01/2025 on Pseudonymisation.